
Abstract:

A system and method for marking and controlling the transfer of
information between several users (2i, 9i). An authority (3) marks
information to be transmitted. A directory (4) or device contains the
certificates of all users as well as the certificates of all the
components of the architecture. The system also uses a security office
(5), a key management device (6a) and a privilege management device (6b).

Claims:

1. A method for marking and controlling the transfer of information
between several users comprising the following steps:
  a user issues an application request for information labeling,
  transmitting a labeling application to a labeling authority on which
  the user is authenticated,
  wherein the labeling authority:
    cleans the transmitted information according to a defined security
    policy,
    verifies from a directory the right of the user to handle the
    information,
    associates in a reliable manner the information+label couple, by
    using a cryptographic resource,
  the labeling authority then transmits the information+label couple to
  the user for verification of non-corruption of the labeled information
  and, after verification, it transmits this couple to a security office
  which registers the object (information+label),
  the security office then delivers the information to users who make
  application for it according to the information contained in the
  label, the rights of the authenticated user, and according to a given
  policy.

2. The method as claimed in claim 1, wherein the transfer of information
is carried out between the first clients of a first network with a given
confidentiality level, and the second clients of a second network with a
lower confidentiality level than that of the first network, comprising:
  a filtering gateway verifies the integrity of the couple (information
  and label) and the identity of the user and transfers the file if the
  security policy authorizes it,
  the labeled information is stored on the second network,
  when a client issues a request for the recovery of information, a
  security office verifies, according to the rights of the client and in
  relation to the information of the label and the security policy,
  whether delivery of the information is authorized.

3. A system for marking and controlling the transfer of information
between several users comprising:
  an authority connected to a network for marking information to be
  transmitted,
  a directory or device connected to the network containing the
  certificates of all users as well as the certificates of all the
  components of the architecture,
  a security office connected to the network,
  a key management device and a privilege management device, each
  connected to the network.

4. The system as claimed in claim 3, comprising at least two networks, a
first network on which the users are connected and a second network on
which the users are connected, the confidentiality level of the second
network having a lower confidentiality level than that of the first
network, and a filtering gateway disposed between the two networks.

Description:

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001]The present Application is based on International Application No.
PCT/EP2006/069950, filed on Dec. 19, 2006, which in turn corresponds to
French Application No. 05/13220 filed on Dec. 23, 2005, and priority is
hereby claimed under 35 USC §119 based on these applications. Each
of these applications is hereby incorporated by reference in its
entirety into the present application.

FIELD OF THE INVENTION

[0002]The invention notably concerns a system architecture and method for
controlling the transfer of information between several users, according
to the level of sensitivity of the information.

[0003]It applies, notably, to the control of the flow of information
leaving a first network having a given confidentiality level to a second
network having a lower confidentiality than that of the first network.

[0004]The word "labeling" will be used for denoting a solution for marking
information or numerical objects that notably makes it possible:

[0005]To control access to objects according to the rights of users in
accordance with a security policy, defined for example by a person in
charge of a system,

[0006]To filter objects transmitted between entities with different
security levels, by ensuring that only authorized information passes.

SUMMARY OF THE INVENTION

[0007]The invention relates to a method for marking and controlling the
transfer of information between several users, characterized in that it
comprises at least the following steps:

[0008]A user issues an application request for information labeling,

[0009]The labeling application is transmitted to a labeling authority on
which the user is authenticated,

[0010]The labeling authority:

[0011]cleans the transmitted information according to a defined security
policy,

[0012]verifies from a directory the right of the user to handle the
information,

[0013]associates in a reliable manner the information+label couple, by
using a cryptographic resource,

[0014]The labeling authority then transmits the information+label couple
to the user for verification of non-corruption of the labeled information
and, after verification, it transmits this couple to a security office
which registers the object (information+label),

[0015]The security office then delivers the information to users who make
application for it according to the information contained in the label,
the rights of the authenticated applicant user, and according to a given
policy. The security policy may be defined by a network administrator.

[0016]The transfer of information is carried out, for example, between
clients of a first network with a given confidentiality level, and
clients of a second network with a lower confidentiality level than that
of the first network and comprises at least the following steps:

[0017]a filtering gateway verifies the integrity of the couple
(information and label) and the identity of the user and transfers the
file if the security policy authorizes it,

[0018]the labeled information is stored on the second network,

[0019]when a client issues a request for the recovery of information, a
security office verifies, according to the rights of the client and in
relation to the information of the label and the security policy, whether
delivery of the information is authorized.

[0020]The invention also relates to a system for marking and controlling
the transfer of information between several users, characterized in that
it comprises at least the following elements:

[0021]An authority for marking (or applying a label to) information to be
transmitted,

[0022]A directory or device containing the certificates of all users as
well as the certificates of all the components of the architecture,

[0023]A security office,

[0024]A key management device and a privilege management device.

[0025]The system may comprise at least two networks, a first network on
which the first users are connected and a second network on which one or
more second users are connected, the second network having a lower
confidentiality level than that of the first network, and may include a
filtering gateway disposed between the two networks.

[0026]The present invention notably makes it possible to deliver
information only to persons authorized to receive it. It ensures that
information is authorized to leave the reliability network within the
framework of the transfer of information between networks.

[0027]The invention enables the security level of the solution to be
increased while reducing the possibilities of hidden channels in the
flow, since the method processes objects (information) rather than flows.

[0028]Still other objects and advantages of the present invention will
become readily apparent to those skilled in the art from the following
detailed description, wherein the preferred embodiments of the invention
are shown and described, simply by way of illustration of the best mode
contemplated of carrying out the invention. As will be realized, the
invention is capable of other and different embodiments, and its several
details are capable of modifications in various obvious aspects, all
without departing from the invention. Accordingly, the drawings and
description thereof are to be regarded as illustrative in nature, and not
as restrictive.

BRIEF DESCRIPTION OF DRAWINGS

[0029]The present invention is illustrated by way of example, and not by
limitation, in the figures of the accompanying drawings, wherein elements
having the same reference numeral designations represent like elements
throughout and wherein:

[0030]FIG. 1 is an example of an assembly of elements employed in the
system according to the invention, and

[0031]FIG. 2 is an example of a system architecture according to the
invention.

DETAILED DESCRIPTION OF THE INVENTION

[0032]FIG. 1 represents an assembly of elements employed according to the
invention, for the transfer of information between several users forming
part of one or more different networks, the transmitted information
having a confidential nature.

[0033]Information is, for example, a numerical object, an electronic
message, a file, etc.

[0034]The architecture comprises, for example, one or more clients 2i, a
labeling authority 3, a directory 4, a security office 5, a device 6a and
a device 6b shown schematically in a common block on the figure, of which
the functions are described hereinafter.

[0036]The labeling authority 3 has notably for its function the
application of labels on all objects or information of users of the
system. It also includes a cryptographic resource in order to associate
the information+label couple in a reliable manner.

[0037]The device 6a is an infrastructure having notably the function of
key management. It generates key certificates of the confidence network
for all those participating in the system, the clients, and devices
employed in the method according to the invention.

[0038]The device 6b is a privilege management infrastructure. It enables
notably the rights of various participants in the system to be managed.
It generates, for example, privilege certificates.

[0039]The directory 4 stores, notably, the certificates generated by the
devices 6a and 6b, usually known as KMI (key management infrastructure)
and PMI (privilege management infrastructure).

[0040]The method and the system according to the invention apply, for
example, for flows leaving a first network with a given confidence level
to a second network with a lower confidence level than that of the first
network. FIG. 2 describes an architecture for such a system.

[0041]The system comprises, for example, a first network with a high
sensitivity 1 called "the high network" on which the various elements are
connected such as: one or more clients 2i, a labeling authority 3, a
directory 4, a security office 5, a device 6a and a device 6b shown
schematically on a common block on the figure, of which the functions are
described hereinafter.

[0042]The high network 1 is connected by a filtering gateway 7 to a second
low sensitivity network 8, called "the low network" since it has a
confidence level lower than that of the high network. One or more clients
9i and a security office 10 are connected to the low sensitivity network.

[0043]The filtering gateway 7 has notably the function of verifying that
the information may or may not pass from one network to another. It
ensures the interconnection of networks. It filters, for example, the
information level and network protocols, etc.

[0044]The solution employed in this example rests on a directory 4 that
contains the certificates of all users as well as the certificates of
all components of the architecture, for identification purposes.

[0045]The system is implemented, for example, in the manner described
hereinafter.

[0046]An applicant or client 2i of the high sensitivity network 1 who
desires to transfer information to the low sensitivity network 8, issues
a request to the labeling authority for applying a label to the
information. In order to create an information labeling application, the
applicant or client 2i completes a form comprising an assembly of fields.
This is carried out for example on the client terminal itself. The fields
may contain data associated with the information to be transmitted such
as the name of the person issuing the information, the classification
level for this information, the recipient of the information, etc.

[0047]The application is then transmitted to the labeling authority 3. The
transmission of information (object+form), between the labeling authority
and the applicant client is protected. The protection of exchanges
between the two networks is carried out by a method of authentication and
encryption known to a person skilled in the art, such as for example the
secure socket layer protocol SSL.

[0048]On receiving the information, the labeling authority carries out
various steps, for example:

[0049]It "cleans" the transmitted information (suppression of hidden
channels) according to the security policy defined by the user
organization responsible for security. The hidden channels are for
example means that enable information to be transferred without the
knowledge of the user; for example the hidden fields of Word files
marketed by Microsoft, not seen by the user when opening a file with
Word.

[0050]It verifies with the directory 4 the right of the user 2i for
labeling information,

[0051]It utilizes its cryptographic resource for associating, in a secure
manner, by sealing for example, the information+label couple.

[0052]The new object (information+label) is then retransmitted to the user
or applicant client 2i for verification and to the "security office
server" 5 capable of storing and delivering labeled information to other
users. Verification consists, for example, of checking that the
information has not been corrupted by cleaning and applying the label.

[0053]The security office 5 records a copy of the object (information and
label), and then transmits the labeled information to a security gateway,
towards the outside.

[0054]At the time of passage, the filtering gateway 7 verifies the sealing
and integrity of the couple (information+label), identifies the user and
transfers the file if the security policy allows it.

[0055]The information is stored on the security office server of the low
sensitivity network.

[0056]When a client 9i of the low network asks the security office server
to deliver information to him, the security office 10 verifies, according
to the rights of the user with regard to the label associated with the
information and security policy, whether it may deliver the information
to him.
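The flow of [0046] to [0056] (and the corresponding summary steps [0008] to [0019]), written out as an added example that is not code from the patent: a small simulation in which the labeling authority checks the issuer's right to label against a directory, cleans the object by dropping metadata fields that are not on an allow-list (the hidden-channel suppression of [0049]), seals the information+label couple, and the filtering gateway and the low-side security office each verify the seal before applying their own policy. The users, clearances, classification scale, HMAC-SHA256 seal and shared key are all assumptions made for this example; the patent does not specify any of them.

```python
# Added example, not code from the patent: a simulation of the labeling flow
# with constructed users, a constructed directory and an HMAC-SHA256 seal
# standing in for the labeling authority's cryptographic resource.
import hashlib
import hmac
import json

# Constructed classification scale: a higher number is more sensitive.
LEVELS = {"public": 0, "restricted": 1, "confidential": 2, "secret": 3}

# Constructed stand-in for directory 4 (identities) and PMI 6b (privileges).
DIRECTORY = {
    "alice": {"network": "high", "clearance": "secret", "may_label": True},
    "bob": {"network": "low", "clearance": "restricted", "may_label": False},
    "carol": {"network": "low", "clearance": "confidential", "may_label": False},
}

# Metadata fields allowed to survive cleaning; anything else is treated as a
# potential hidden channel (cf. the hidden fields of office documents) and dropped.
ALLOWED_FIELDS = {"title", "author"}

# Constructed seal key shared by the labeling authority and the verifying
# components (stands in for key material issued by KMI 6a).
SEAL_KEY = b"constructed-seal-key-for-this-example"

# Highest classification the gateway's policy lets onto the low network (assumed).
GATEWAY_MAX_LEVEL = "restricted"

# Security office 5 keeps a copy of every object it forwards ([0053]).
REGISTRY = []


def clean(document):
    """Cleaning step [0049]: keep the body and only allow-listed metadata."""
    meta = {k: v for k, v in document.get("meta", {}).items() if k in ALLOWED_FIELDS}
    return {"body": document["body"], "meta": meta}


def canonical(obj):
    """Deterministic encoding so the seal covers one unambiguous byte string."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(information, label):
    return hmac.new(SEAL_KEY, canonical({"information": information, "label": label}),
                    hashlib.sha256).hexdigest()


def verify_seal(obj):
    return hmac.compare_digest(obj["seal"], seal(obj["information"], obj["label"]))


def label_request(user, document, form):
    """Labeling authority 3: check the user's right to label ([0050]), clean
    ([0049]) and seal the information+label couple ([0051])."""
    rights = DIRECTORY.get(user)
    if rights is None or not rights["may_label"]:
        raise PermissionError(f"{user} is not entitled to label information")
    if LEVELS[form["classification"]] > LEVELS[rights["clearance"]]:
        raise PermissionError("classification exceeds the issuer's clearance")
    information = clean(document)
    label = {"issuer": user, "classification": form["classification"],
             "recipient": form["recipient"]}
    return {"information": information, "label": label, "seal": seal(information, label)}


def client_verify(obj, original_document):
    """Client check [0052]: the body survived cleaning and labeling unchanged."""
    return verify_seal(obj) and obj["information"]["body"] == original_document["body"]


def register(obj):
    """Security office 5 records a copy of the object before it leaves ([0053])."""
    REGISTRY.append(canonical(obj))
    return len(REGISTRY)


def gateway_transfer(obj):
    """Filtering gateway 7 ([0054]): seal intact, issuer known on the high
    network, and classification within the policy for the low network."""
    if not verify_seal(obj):
        return False
    issuer = DIRECTORY.get(obj["label"]["issuer"])
    if issuer is None or issuer["network"] != "high":
        return False
    return LEVELS[obj["label"]["classification"]] <= LEVELS[GATEWAY_MAX_LEVEL]


def deliver(obj, requester):
    """Security office 10 ([0056]): deliver only to the labeled recipient whose
    clearance covers the classification; None means refusal."""
    rights = DIRECTORY.get(requester)
    if rights is None or not verify_seal(obj):
        return None
    label = obj["label"]
    if label["recipient"] != requester:
        return None
    if LEVELS[label["classification"]] > LEVELS[rights["clearance"]]:
        return None
    return obj["information"]


if __name__ == "__main__":
    # Constructed sample object with one hidden field that cleaning removes.
    doc = {"body": "quarterly figures", "meta": {"title": "Q3", "track_id": "hidden"}}
    obj = label_request("alice", doc, {"classification": "restricted", "recipient": "bob"})
    print("cleaned metadata:", obj["information"]["meta"])
    print("client verified:", client_verify(obj, doc))
    register(obj)
    print("gateway passes:", gateway_transfer(obj))
    print("delivered to bob:", deliver(obj, "bob") is not None)
    print("delivered to carol:", deliver(obj, "carol") is not None)
```

The seal is what makes the gateway and the low-side office independent of each other: neither trusts the label because of where the object came from, each recomputes the seal over the canonical encoding first, so a label edited in transit (for instance a classification lowered to slip past the gateway) is refused at both points. A symmetric HMAC keeps the example short; with a shared key every verifier could also forge a seal, so a deployment built on the KMI of [0037] would sign the couple with the labeling authority's private key and let the verifiers hold only its certificate.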

[0057]It is possible to use the XML standard as a container for the
labeled information. Handling the label metadata then requires taking
the XML standards into account.
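One way an XML container for the labeled information could look, as an added example that is neither code from the patent nor a published schema: the label fields, the content and the seal are carried as child elements, and a verifier recomputes the seal over a fixed serialization of the label and content after parsing. The element names, the flat layout, the length-prefixed serialization and the HMAC-SHA256 seal with a shared key are assumptions made for the example.

```python
# Added example, not code from the patent or any standard: an XML container
# for a labeled object whose seal covers the label fields and the content.
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed key shared by the labeling authority and the verifying component.
SEAL_KEY = b"constructed-seal-key-for-this-example"


def sealed_bytes(label, body):
    """Bytes the seal covers: label fields in a fixed order, then the content.
    Each value is length-prefixed so moving text between fields changes the input."""
    parts = []
    for key in sorted(label):
        value = label[key]
        parts.append(f"{key}:{len(value)}:{value}")
    parts.append(f"content:{len(body)}:{body}")
    return "\n".join(parts).encode("utf-8")


def compute_seal(label, body):
    return hmac.new(SEAL_KEY, sealed_bytes(label, body), hashlib.sha256).hexdigest()


def build_container(label, body):
    """Serialize information+label+seal as an XML byte string."""
    root = ET.Element("labeledObject")
    label_el = ET.SubElement(root, "label")
    for key in sorted(label):
        ET.SubElement(label_el, key).text = label[key]
    ET.SubElement(root, "content").text = body
    seal_el = ET.SubElement(root, "seal", algorithm="HMAC-SHA256")
    seal_el.text = compute_seal(label, body)
    return ET.tostring(root, encoding="utf-8")


def parse_container(xml_bytes):
    """Parse a container and check its seal. Returns (label, body, seal_ok)."""
    root = ET.fromstring(xml_bytes)
    label_el = root.find("label")
    label = {child.tag: (child.text or "") for child in label_el} if label_el is not None else {}
    body = root.findtext("content") or ""
    presented = root.findtext("seal") or ""
    # compare_digest needs ASCII strings; a non-hex seal is simply a failed check.
    seal_ok = presented.isascii() and hmac.compare_digest(presented, compute_seal(label, body))
    return label, body, seal_ok


if __name__ == "__main__":
    # Constructed sample label and content.
    sample = {"classification": "restricted", "issuer": "alice", "recipient": "bob"}
    container = build_container(sample, "quarterly figures")
    print(container.decode("utf-8"))
    print("seal ok:", parse_container(container)[2])
```

Two caveats apply when the container crosses from the low network back into a verifier. Parsing should go through a hardened parser such as defusedxml rather than the standard ElementTree, since the object is untrusted input until its seal has been checked; and a real deployment would replace the hand-rolled serialization and HMAC with XML Signature over a canonicalized (C14N) document, which ties the seal to the labeling authority's certificate from the directory 4 instead of to a key every verifier must also hold.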

[0058]The system and method described above apply, for example, to the
following fields: pharmaceutical networks, research, banking networks,
and all systems in which it is desired to transfer information from a
network having one confidence level to a network with a lower confidence
level.

[0059]Without departing from the scope of the invention, a centralized
labeling authority may be used or one distributed over all or some client
terminals.

[0060]It will be readily seen by one of ordinary skill in the art that the
present invention fulfills all of the objects set forth above. After
reading the foregoing specification, one of ordinary skill in the art
will be able to effect various changes, substitutions of equivalents and
various aspects of the invention as broadly disclosed herein. It is
therefore intended that the protection granted hereon be limited only by
the definition contained in the appended claims and equivalents thereof.